What is Weak Password Test?

Weak Password Test is a free tool which examines the passwords of accounts in your Active Directory (AD) to determine if your organization is susceptible to password-related attacks.

The results will display which user accounts failed the test and why. This information can empower you to increase your organization's password complexity requirements, train your users on safe password practices, or take other actions to help bolster your cyber security posture.

How Does it Work?

Weak Password Test connects to one of your domain controllers and, using the directory replication permissions described below, retrieves each account's stored password hashes together with the account's password and Kerberos encryption settings. It then checks every account against ten failure types, described in detail below. The hashes are only compared (against a dictionary and against each other); nothing is decrypted or reversed.

Is my Information Safe?

Yes. It's important to note that this tool will never display or report the actual passwords of any user accounts in AD. Passwords within AD are in a hashed format and will never be visible at any point. The test results will simply identify the user accounts which fail the test so you can decide how to remedy that.

Additionally, the data pulled from AD is encrypted in transit. The information obtained during the test is held in local memory only and is never written to disk. None of the information from your Active Directory is transmitted to us at any point during the test. Keep in mind that password hashes are still sensitive material in their own right (an NT hash can be replayed directly in pass-the-hash attacks), so run the test from a trusted, fully patched workstation and close the tool when you are done.

IMPORTANT! The credentials you use to connect to Active Directory with Weak Password Test must have the "Replicating Directory Changes" and "Replicating Directory Changes All" permissions for the test to run successfully. These two permissions allow the tool to obtain a copy of your password data for analysis.

Note that these are extended rights granted by access control entries on the domain partition, not by group membership. By default the domain's built-in Administrators group (which includes Domain Admins), Domain Controllers and Enterprise Domain Controllers hold them, but in environments where the domain partition's permissions have been tightened or customized a domain admin account may no longer have them. Check the rights explicitly rather than assuming that a domain admin account will be able to run the test.

We strongly recommend creating a new account in AD with these permissions for the purposes of running this test. Once the test is complete, you should delete this new account in accordance with the principle of least privilege.

Why create a new account? A dedicated account makes it easy to determine when this test took place and which account accessed the information, should you need to look for that information in the future: domain controllers with "Audit Directory Service Access" enabled record each replication request as a security event 4662 naming the requesting account, so the test is easy to find in the DC security log. It also makes it easier to remove the permissions afterwards: once the test is done, remove the account's access control entries and delete the newly added user account.
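The following PowerShell is an added example and is not part of the KnowBe4 article or tool. It provisions the dedicated account described above, grants it only the two replication extended rights on the domain partition, lists every principal that holds those rights (useful both before the test and as a check after cleanup), and removes the rights and the account again afterwards. It assumes the RSAT ActiveDirectory module, an operator allowed to edit the domain partition's ACL, and uses the placeholder account name svc-wpt and a placeholder OU.

```powershell
# Added example (not part of the KnowBe4 article or tool): create a
# dedicated account for the test, grant it only the two replication
# extended rights on the domain partition, show who holds those rights,
# and remove the rights and the account again afterwards.
# Assumptions: RSAT ActiveDirectory module; run as an account allowed to
# edit the domain head's ACL; account name and OU are placeholders.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName
$userName = 'svc-wpt'                              # placeholder name
$userOU   = "OU=Service Accounts,$domainDN"         # placeholder OU
$ntName   = "$($domain.NetBIOSName)\$userName"

# Well-known GUIDs of the two extended rights (from the AD schema).
$rights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}

function Get-ReplicationRightHolder {
    # Every principal with an Allow ACE for either right on the domain head.
    (Get-Acl -Path "AD:\$domainDN").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $rights.ContainsKey($_.ObjectType.ToString()) } |
        Select-Object @{n='Identity'; e={ $_.IdentityReference.Value }},
                      @{n='Right';    e={ $rights[$_.ObjectType.ToString()] }}
}

function Grant-WptAccount {
    $password = Read-Host -AsSecureString -Prompt "One-off password for $userName"
    $user = New-ADUser -Name $userName -SamAccountName $userName -Path $userOU `
                -AccountPassword $password -Enabled $true -PassThru
    $extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $allow    = [System.Security.AccessControl.AccessControlType]::Allow
    $acl = Get-Acl -Path "AD:\$domainDN"
    foreach ($guid in $rights.Keys) {
        # One ACE per right, scoped to that right's GUID only.
        $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new($user.SID, $extRight, $allow, [guid]$guid)
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path "AD:\$domainDN" -AclObject $acl
}

function Remove-WptAccount {
    # Deleting the user alone would leave orphaned ACEs (shown as a bare
    # SID) on the domain head, so strip them first, then delete the account.
    $acl = Get-Acl -Path "AD:\$domainDN"
    foreach ($ace in @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $ntName })) {
        [void]$acl.RemoveAccessRule($ace)
    }
    Set-Acl -Path "AD:\$domainDN" -AclObject $acl
    Remove-ADUser -Identity $userName -Confirm:$false
}

# Before the test:
Grant-WptAccount
Get-ReplicationRightHolder | Format-Table -AutoSize   # $ntName should appear once per right
# After the test (uncomment to run):
# Remove-WptAccount
# Get-ReplicationRightHolder | Format-Table -AutoSize # $ntName should be gone
```

The second listing after cleanup is the check worth keeping: anything other than the domain's Administrators group, Domain Controllers and Enterprise Domain Controllers holding DS-Replication-Get-Changes-All is an account that can pull every password hash in the domain.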

Upon signing up, we will email you a unique license key, which you’ll need to enter prior to running the test.

(2) Download and run the installer file for Weak Password Test. Review and agree to the License Agreement and then click Install to complete the installation. Weak Password Test will be automatically saved to your Desktop.

(4) Next, enter your unique License Key, which was emailed to the email address you signed up with. Click OK.

(5) Next, you'll need to enter the details listed below.

(a) Domain name of your Active Directory (for example, mydomain.com or mydomain.local)
(b) Internal IP of your Domain Controller (DC) (for example, 10.20.10.10)
(c) The username and password for the account you created which has the "Replicating Directory Changes" and "Replicating Directory Changes All" permissions

After entering the above information, click Start Test when you are ready to begin your test.

(6) The test will analyze your Active Directory accounts for weak passwords. This process usually takes less than a minute to complete but may take longer depending on your Active Directory and workstation performance.

(7) Your results will be displayed on-screen as soon as the test is complete.

Analyzing Your Results

The results of Weak Password Test show the number of accounts that are vulnerable and the number that are not. A pie chart compares the totals for each failure type, indicating which password vulnerabilities are most prevalent in your organization.

Each of your AD accounts will be listed and a checkmark will indicate the specific vulnerabilities that were found on that particular account. You can click each of the vulnerabilities on the left to filter the results to only show the accounts which have that vulnerability. You can also search for a specific account by entering characters into the search box.

Types of Failure/Vulnerabilities

The Weak Password Test analyzes your data to look for ten different failure types which can leave your organization vulnerable to an attack, listed below:

1) Weak Passwords
The affected account's password matched an entry in our Weak Password dictionary (weakpasswords.txt). These passwords are very common, easy to guess, or have been exposed to attackers in past data breaches.

2) Non-Unique Passwords
The affected account shares a password with at least one other account, so compromising any one of them compromises all of them.

3) Empty Passwords
The account has no password set at all.

5) Password Not Required
The account carries the "password not required" flag (PASSWD_NOTREQD in userAccountControl), so it is permitted to have no password regardless of the domain password policy.

6) Password Never Expires
The account's password is exempt from the domain's maximum password age.

7) LM Hashes
A LAN Manager (LM) hash of the account's password is stored. LM is an obsolete scheme that uppercases the password, splits it into two seven-character halves and hashes each half separately, so an LM hash can be brute-forced in seconds.

8) AES Keys Missing
The account has no Advanced Encryption Standard (AES) Kerberos keys stored. This typically means the password was last set before the domain supported AES (Windows Server 2008 functional level or later); until the password is changed, Kerberos falls back to the weaker RC4 (or DES) keys for that account.

9) DES-only Encryption
The account is configured to use only the retired Data Encryption Standard (DES) for Kerberos (the "Use Kerberos DES encryption types for this account" option, USE_DES_KEY_ONLY). This is usually a leftover from old software that could not handle AES.

10) Pre-authentication Missing
Kerberos pre-authentication is disabled for the account (the "Do not require Kerberos preauthentication" option, DONT_REQ_PREAUTH). With pre-authentication enabled, a client must first prove knowledge of the password by sending a timestamp encrypted with the account's key. With it disabled, the KDC hands anyone who asks a reply encrypted with that key, which an attacker can then brute-force offline without ever producing a failed logon for the account.

You can filter the results by failure type if you'd like to analyze a specific vulnerability. Simply click on the failure type towards the left side of the program. Once it is highlighted orange, it will display only that failure type.
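The following PowerShell is an added example, not part of the KnowBe4 tool. It reproduces the flag-based findings from the list above (5, 6, 9, 10, and an approximation of 8) from attributes that are readable over plain LDAP, so you can cross-check the tool's report or re-check accounts after remediation. Findings 1, 2, 3 and 7 depend on the stored hashes themselves and cannot be reproduced this way. The sample accounts at the bottom are constructed; the live query at the end assumes the RSAT ActiveDirectory module, and $aesSince (the date the domain started issuing AES keys) is an assumed value you need to set for your domain.

```powershell
# Added example (not the KnowBe4 tool's code): detect the flag-based
# findings from LDAP-readable attributes. Hash-based findings (weak,
# shared, empty passwords, LM hashes) are out of reach here.

# userAccountControl bits (from the AD schema documentation)
$PASSWD_NOTREQD       = 0x000020
$DONT_EXPIRE_PASSWORD = 0x010000
$USE_DES_KEY_ONLY     = 0x200000
$DONT_REQ_PREAUTH     = 0x400000

# msDS-SupportedEncryptionTypes bits
$ETYPE_DES = 0x03   # DES_CBC_CRC | DES_CBC_MD5
$ETYPE_RC4 = 0x04
$ETYPE_AES = 0x18   # AES128_CTS_HMAC_SHA1_96 | AES256_CTS_HMAC_SHA1_96

function Get-PasswordFinding {
    # Returns the failure-type names that one account triggers.
    param(
        [Parameter(Mandatory)] [int]      $UserAccountControl,
        [Nullable[int]]                    $SupportedEncryptionTypes,
        [Nullable[datetime]]               $PasswordLastSet,
        [Parameter(Mandatory)] [datetime] $AesSince   # assumed: when the domain began issuing AES keys
    )
    $f = [System.Collections.Generic.List[string]]::new()
    if ($UserAccountControl -band $PASSWD_NOTREQD)       { $f.Add('Password Not Required') }
    if ($UserAccountControl -band $DONT_EXPIRE_PASSWORD) { $f.Add('Password Never Expires') }
    if ($UserAccountControl -band $DONT_REQ_PREAUTH)     { $f.Add('Pre-authentication Missing') }
    # DES-only can come from the UAC flag or from listing only DES types in
    # msDS-SupportedEncryptionTypes.
    $desOnlyByEtype = ($null -ne $SupportedEncryptionTypes) -and
                      ($SupportedEncryptionTypes -band $ETYPE_DES) -and
                      -not ($SupportedEncryptionTypes -band ($ETYPE_RC4 -bor $ETYPE_AES))
    if (($UserAccountControl -band $USE_DES_KEY_ONLY) -or $desOnlyByEtype) { $f.Add('DES-only Encryption') }
    # AES keys are only generated when a password is set after the domain
    # supports AES; the stored keys are not readable over LDAP, so the
    # password-set date is used as a proxy.
    if (($null -ne $PasswordLastSet) -and ($PasswordLastSet -lt $AesSince)) { $f.Add('AES Keys Missing (probable)') }
    return $f.ToArray()
}

# Constructed sample accounts (not real data) to exercise the function.
$aesSince = Get-Date '2015-06-01'   # assumed date; set to your domain's own
$samples = @(
    @{ Name='alice';      UserAccountControl=0x000200; SupportedEncryptionTypes=$null; PasswordLastSet=(Get-Date '2023-04-02') }
    @{ Name='svc-backup'; UserAccountControl=0x010220; SupportedEncryptionTypes=$null; PasswordLastSet=(Get-Date '2012-09-15') }
    @{ Name='legacy-app'; UserAccountControl=0x600200; SupportedEncryptionTypes=0x03;  PasswordLastSet=(Get-Date '2019-01-10') }
)
foreach ($s in $samples) {
    $p = @{ UserAccountControl = $s.UserAccountControl; SupportedEncryptionTypes = $s.SupportedEncryptionTypes
            PasswordLastSet = $s.PasswordLastSet; AesSince = $aesSince }
    [pscustomobject]@{ User = $s.Name; Findings = ((Get-PasswordFinding @p) -join ', ') }
}
# alice      -> (none)
# svc-backup -> Password Not Required, Password Never Expires, AES Keys Missing (probable)
# legacy-app -> Pre-authentication Missing, DES-only Encryption

# Live run against the domain (RSAT ActiveDirectory module), uncomment to use:
# Get-ADUser -Filter 'Enabled -eq $true' -Properties userAccountControl, msDS-SupportedEncryptionTypes, PasswordLastSet |
#   ForEach-Object {
#     $r = Get-PasswordFinding -UserAccountControl $_.userAccountControl `
#            -SupportedEncryptionTypes $_.'msDS-SupportedEncryptionTypes' `
#            -PasswordLastSet $_.PasswordLastSet -AesSince $aesSince
#     if ($r) { [pscustomobject]@{ User = $_.SamAccountName; Findings = ($r -join ', ') } }
#   }
```

Because the flag checks read only public attributes, any authenticated domain user can run them. That is exactly why an attacker enumerates DONT_REQ_PREAUTH accounts first: they are discoverable without privileges and crackable offline.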

Frequently Asked Questions (FAQs)

Below are questions you may have regarding Weak Password Test. If you don't see your question answered below, contact support.

A. Can I see what the weak passwords are?

No. The tool only ever holds password hashes. It compares them against hashes of dictionary entries and against each other, and never recovers or displays a plaintext password.

B. Are any log files generated during the test?

No. No log files are created. You can save your results by exporting to Excel or PDF.

C. I received an error message and my test did not run. What do I do?

If you received an error and could not complete the test, check the chart below to analyze what the issue may be:

Error message: The Active Directory account you are attempting to run the test with does not have Replicating Directory Changes Permissions. Please view the required Prerequisites in our manual, linked below.
Issue: The account you are using for the test does not have the proper permissions. Make sure you've created an account with both Replicating Directory Changes AND Replicating Directory Changes All permissions. See above.

Error message: Test was unable to run due to invalid user name and/or password. Please check your credentials and try the test again.
Issue: We were unable to connect to your Active Directory using the credentials you provided. Make sure your user name and password are correct and try to run the test again.

Issue: Your Domain Controller IP is incorrect or incorrectly formatted. Double-check the IP and attempt to run the test again.

Error message: The license validation failed.
Issue: This usually means one of two things: a) the license key you are using is invalid, or b) you are attempting to validate the license key through a proxy and the request is being blocked. If the error is due to a proxy, allow connections to the following URL in your proxy settings so that the license check can complete: https://api.wpt.knowbe4.com/v1/licenses

Hackers use similar dictionaries to attempt to crack your organization’s passwords. This type of weak password is only one of the vulnerabilities we are looking for, however. The Weak Password Test analyzes ten different variations of password vulnerabilities.

E. Can I run this test multiple times?

Absolutely. If you want to run the test again, just click the Rerun test button, as shown below. Be sure to download a PDF or Excel sheet of your current results before running a new test.

F. Can I run this test if I’m using Azure?

No. The test pulls password data through directory replication from an on-premises domain controller, which Azure Active Directory does not expose.

G. My anti-virus flagged this as dangerous. Is it?

No, it is not dangerous. Weak Password Test requests password data from a domain controller over the directory replication protocol, which is the same behaviour credential-theft tools exhibit in a so-called DCSync attack, so antivirus and EDR products may flag the binary or its behaviour as potentially dangerous. Verify that you downloaded the tool from KnowBe4 and allow it for the duration of the test.

H. I had several users fail the test. What do I do now?

First and foremost, train your users on proper password practices with security awareness training and remind them often. It is important for them to know that hackers can crack a password within seconds with the right tools in hand. KnowBe4 offers several courses which you can train your users with that covers these topics.

For many of the vulnerabilities, you’ll also want to enforce stricter password requirements in your organization. We strongly recommend increasing your password complexity requirements and setting a rule to ensure passwords expire on a regular basis.
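The following PowerShell is an added example and is not KnowBe4's code. It turns the test's findings into concrete remediation: per account it clears the flags behind findings 5, 6, 9 and 10 and forces a password change wherever a new password is what regenerates the stored hashes and keys (findings 1, 2, 3, 7 and 8); domain-wide it tightens the default password policy as recommended above. It assumes the RSAT ActiveDirectory module, a CSV with the constructed columns User and Findings (the tool's own export layout may differ), placeholder policy values, and it runs every change with -WhatIf until you set $WhatIf to $false.

```powershell
# Added example (not KnowBe4's code): remediate findings per account and
# tighten the default domain password policy. Assumptions: RSAT
# ActiveDirectory module; CSV columns User and Findings are constructed;
# policy values are placeholders; nothing is changed while $WhatIf is $true.
Import-Module ActiveDirectory
$WhatIf = $true

function Repair-PasswordFinding {
    param(
        [Parameter(Mandatory)] [string]   $SamAccountName,
        [Parameter(Mandatory)] [string[]] $Findings
    )
    $flags = @{}        # parameters for Set-ADAccountControl
    $reset = $false     # a new password regenerates every stored hash and key
    foreach ($f in $Findings) {
        switch ($f) {
            'Password Not Required'      { $flags.PasswordNotRequired   = $false }
            'Password Never Expires'     { $flags.PasswordNeverExpires  = $false }
            'DES-only Encryption'        { $flags.UseDESKeyOnly         = $false }
            'Pre-authentication Missing' { $flags.DoesNotRequirePreAuth = $false }
            'AES Keys Missing'           { $reset = $true }   # AES keys are created on the next password set
            'LM Hashes'                  { $reset = $true }   # LM hash goes away on the next set, provided the
                                                              # "Do not store LAN Manager hash" policy (default) is on
            'Empty Passwords'            { $reset = $true }
            'Weak Passwords'             { $reset = $true }
            'Non-Unique Passwords'       { $reset = $true }
        }
    }
    # Clear flags first: ChangePasswordAtLogon cannot be set while
    # PasswordNeverExpires is still on.
    if ($flags.Count -gt 0) { Set-ADAccountControl -Identity $SamAccountName @flags -WhatIf:$WhatIf }
    # Users pick their own new password under the tightened policy. Service
    # accounts cannot change at logon; set theirs with Set-ADAccountPassword.
    if ($reset) { Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true -WhatIf:$WhatIf }
    [pscustomobject]@{ User = $SamAccountName; FlagsCleared = ($flags.Keys -join ', '); ForceChange = $reset }
}

# Domain-wide defaults (placeholder values; align them with your own standard).
Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot `
    -MinPasswordLength 14 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 90) -LockoutThreshold 10 -WhatIf:$WhatIf

# Per-account fixes from the exported results (constructed CSV layout).
Import-Csv 'C:\wpt\results.csv' | ForEach-Object {
    Repair-PasswordFinding -SamAccountName $_.User -Findings ($_.Findings -split ',\s*')
} | Format-Table -AutoSize
```

Review the -WhatIf output before flipping $WhatIf: clearing "Password Not Required" or "Password Never Expires" on a service account that was deliberately configured that way, or forcing a change on an account a scheduled task depends on, will cause an outage rather than a security improvement.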

While we cannot advise you on the specifics of how to remedy all of the password vulnerabilities in your organization, we can point you in the direction of some great resources which can help.